I really like the way the required parameters are broken out in the Secretless documentation, so I often refer back to that page to get these values.
In general, if your Conjur service is running in Kubernetes (and has an associated K8s
service resource defined) then you can define:
| Description | Notes |
|---|---|
| The URL of the Conjur service API endpoint reachable from within the cluster. | For most Kubernetes clusters, the endpoint follows this pattern: https://[Conjur Service Name].[Conjur Namespace].svc.cluster.local/ |
| This is the authentication endpoint for the specific authenticator your app should be using. | If your authenticator name is $AUTHENTICATOR_NAME, then the value of this variable has the form: URLENCODED_AUTHENTICATOR_NAME is the url-encoded version of |
| The Conjur host identity your app should be authenticating as. | The specific value will depend on how you’ve set up your authn-k8s policy; for example, if you’ve chosen to use service account-scoped identities, a common configuration has the host set to host/conjur/authn-k8s/AUTHENTICATOR_NAME/apps/APP_NAMESPACE/service_account/APP_SERVICE_ACCOUNT where your app is defined in the conjur/authn-k8s/AUTHENTICATOR_NAME/apps/ policy branch and is going to be deployed to the APP_NAMESPACE K8s namespace with a service account named |
I hope this is helpful, but please feel free to follow up if you have further questions. For example, my answer for the
CONJUR_AUTHN_LOGIN parameter can be made more specific if you share more details about the policy you’re using to define your Kubernetes authenticator.